Bulletin 345

NOTICE OF RISK TO PERSONAL DATA ACT

During its First Special Session, the 122nd Maine Legislature enacted the Notice of Risk to Personal Data Act, P.L. 2005, c. 379, effective January 1, 2006, at 10 M.R.S.A. § 1346 - § 1349 (“Data Act”). The Data Act requires information brokers to notify consumers if unauthorized persons acquire personal data that could result in identity theft. In response to concerns that the Data Act does not require other businesses, including insurance companies, to make such disclosures, during its Second Regular Session, the 122nd Legislature enacted Public Law 2006, Chapter 583 (L.D. 2017). The amendments will be effective January 31, 2007.

The purpose of this bulletin is to clarify the responsibilities under the Data Act of persons and entities regulated by the Superintendent. Provisions and amendments of interest to persons and entities involved in the business of insurance in Maine include:

The Data Act will apply to persons, as defined in 10 M.R.S.A. §1347(5), as well as to information brokers. Section 1347(5) in part defines person to include an “individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity.” This definition covers persons and entities licensed or regulated by the Superintendent—insurers, producers, adjusters, and third-party administrators, for example—who will enforce the Data Act as to those persons and entities.

Section 1348(1) requires an information broker or person who “maintain[s] computerized data that includes personal information,” after becoming aware of a security system breach, to “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.” As the purpose of the Data Act is to warn those at risk of identity theft or other loss resulting from release of personal information so that they can take steps to protect themselves, regulated persons should not hesitate to investigate breaches of their systems. The Superintendent also advises that investigations should be tailored to the facts of each breach.

Section 1348(1) also requires an information broker to notify each Maine resident whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person, of the breach. Persons other than information brokers will have to give such notice if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur. The notice must be given “as expediently as possible and without unreasonable delay.” Section 1347(5) provides that the term “person” is not to be construed to require “duplicative notice by more than one individual ... or other entity involved in the same transaction.”

Section 1348(4) requires persons to notify nationwide consumer reporting agencies of breaches that require notification to “more than 1,000 persons at a single time.” The Superintendent interprets this threshold to include both Maine residents and persons who live elsewhere. The notice given to consumer reporting agencies must include the date of the breach, the estimated number of persons affected by the breach, if known, and the actual or anticipated date that persons were or will be notified of the breach.

Those licensed by the Superintendent will also have to notify the Superintendent, under section 1348(5), of breaches that require notice under section 1348(1). In addition to the information required by section 1348(4) and mentioned in the previous paragraph, the notice to the Superintendent should include a description of the breach, the number of Maine residents affected by the breach, if known, a copy of the notice and other information sent to affected persons, a description of other curative steps taken, and the name and contact information for the person whom the Superintendent may contact about the breach.

Anyone complying with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or other provisions of Maine law is deemed to have met the requirements of the Data Act if such other law, rules, regulations or guidelines provide for notification procedures at least as protective as those of the Data Act.

Licensed entities are responsible for familiarizing themselves with the specific provisions of, and complying with, the Data Act. The law is available on the State of Maine’s internet site at this link:
http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.html. The Department of Professional and Financial Regulation has prepared FAQs related to the Data Act, available at this link: Data Breach FAQs. Additionally, persons may direct questions to Bureau staff by calling 1-800-300-5000.

November 8, 2006

______________________________________

Alessandro A. Iuppa

Superintendent of Insurance

NOTE: This bulletin is intended solely for informational purposes. It is not intended to set forth legal rights, duties or privileges nor is it intended to provide legal advice. Readers should consult applicable statutes and regulations and contact the Bureau of Insurance if additional information is needed.